From 219a3e8676f3132d27b530c7d2d6bcab89536b57 Mon Sep 17 00:00:00 2001
From: Kairui Song <kasong@redhat.com>
Date: Mon, 21 Jan 2019 17:59:28 +0800
Subject: [PATCH] integrity, KEYS: add a reference to platform keyring
commit 9dc92c45177a ("integrity: Define a trusted platform keyring")
introduced a .platform keyring for storing preboot keys, used for
verifying kernel image signatures. Currently only IMA-appraisal is able
to use the keyring to verify kernel images that have their signature
stored in xattr.
This patch exposes the .platform keyring, making it accessible for
verifying PE signed kernel images as well.
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Kairui Song <kasong@redhat.com>
Cc: David Howells <dhowells@redhat.com>
[zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 certs/system_keyring.c        | 10 ++++++++++
 include/keys/system_keyring.h |  8 ++++++++
 security/integrity/digsig.c   |  3 +++
 3 files changed, 21 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
b820dc3
index 81728717523d..da055e901df4 100644
b820dc3
--- a/certs/system_keyring.c
b820dc3
+++ b/certs/system_keyring.c
b820dc3
@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
b820dc3
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
b820dc3
 static struct key *secondary_trusted_keys;
b820dc3
 #endif
b820dc3
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
b820dc3
+static struct key *platform_trusted_keys;
b820dc3
+#endif
b820dc3
 
b820dc3
 extern __initconst const u8 system_certificate_list[];
b820dc3
 extern __initconst const unsigned long system_certificate_list_size;
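Review bot: `platform_trusted_keys` is a trust-anchor pointer that this patch writes only from the `__init` setter added at the end of the file, so it could be declared `static struct key *platform_trusted_keys __ro_after_init;` to make it read-only once boot finishes. Nothing in the visible hunks writes it later; if a runtime writer is planned, this does not apply. The neighbouring keyring pointers shown in the context lines are not annotated either, so this may fit better as a follow-up covering all of them.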
b820dc3
@@ -266,3 +269,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
b820dc3
 EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
b820dc3
 
b820dc3
 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
b820dc3
+
b820dc3
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
b820dc3
+void __init set_platform_trusted_keys(struct key *keyring)
b820dc3
+{
b820dc3
+	platform_trusted_keys = keyring;
b820dc3
+}
b820dc3
+#endif
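Review bot: `set_platform_trusted_keys()` has no comment describing ownership of the keyring it records. The body is a plain assignment with no reference taken in the visible code, so the caller's keyring has to outlive every use of the pointer in this file. A one-line comment above the function would make that explicit, for example `/* Record the .platform keyring; no reference is taken, the caller keeps ownership. */`. It is also worth stating that the setter is expected to run once during boot, since a second call silently replaces the earlier value.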
b820dc3
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
b820dc3
index 359c2f936004..42a93eda331c 100644
b820dc3
--- a/include/keys/system_keyring.h
b820dc3
+++ b/include/keys/system_keyring.h
b820dc3
@@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void)
b820dc3
 }
b820dc3
 #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
b820dc3
 
b820dc3
+#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
b820dc3
+	defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
b820dc3
+extern void __init set_platform_trusted_keys(struct key *keyring);
b820dc3
+#else
b820dc3
+static inline void set_platform_trusted_keys(struct key *keyring)
b820dc3
+{
b820dc3
+}
b820dc3
+#endif
b820dc3
 
b820dc3
 #endif /* _KEYS_SYSTEM_KEYRING_H */
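Review bot: The declaration is guarded by both `CONFIG_INTEGRITY_PLATFORM_KEYRING` and `CONFIG_SYSTEM_TRUSTED_KEYRING`, while the definition in certs/system_keyring.c is guarded by `CONFIG_INTEGRITY_PLATFORM_KEYRING` alone. The two agree only if that file is built solely when `CONFIG_SYSTEM_TRUSTED_KEYRING` is set, which the patch does not show, so a short comment above the `#if` stating the assumption would help. When the empty stub is selected the platform keyring is silently never handed to the system keyring code; that fallback deserves a comment in the stub. The closing line could follow the block above it: `#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING && CONFIG_SYSTEM_TRUSTED_KEYRING */`.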
b820dc3
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
b820dc3
index f45d6edecf99..e19c2eb72c51 100644
b820dc3
--- a/security/integrity/digsig.c
b820dc3
+++ b/security/integrity/digsig.c
b820dc3
@@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
b820dc3
 		pr_info("Can't allocate %s keyring (%d)\n",
b820dc3
 			keyring_name[id], err);
b820dc3
 		keyring[id] = NULL;
b820dc3
+	} else {
b820dc3
+		if (id == INTEGRITY_KEYRING_PLATFORM)
b820dc3
+			set_platform_trusted_keys(keyring[id]);
b820dc3
 	}
b820dc3
 
b820dc3
 	return err;
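Review bot: `set_platform_trusted_keys()` is declared `__init`, but the signature of `__integrity_init_keyring()` shown in the hunk header carries no `__init`, so this call is likely to produce a section-mismatch warning at build time. It would also jump into discarded init text if the function were ever reached after boot. The function body starts outside the hunk, so its callers are not visible here; if all of them are init-only, annotate the definition as `static int __init __integrity_init_keyring(`, otherwise drop `__init` from the setter. As a style point, the nested branch can be flattened to `} else if (id == INTEGRITY_KEYRING_PLATFORM) {`.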
-- 
2.20.1